Re: “Meltdown” and “Spectre”: Every modern processor has unfixable security flaws
- Date: Thu, 4 Jan 2018 12:54:22 -0600
- From: Nicholas Geovanis <nickgeovanis@xxxxxxxxx>
- Subject: Re: “Meltdown” and “Spectre”: Every modern processor has unfixable security flaws
I was hoping to be retired before this happened......
All of AWS EC2 is rebooting today by 4pm UTC
AppArmor everywhere: Can't trust the hardware to do it right. Clowns! Buffo!
On Thu, Jan 4, 2018 at 12:19 PM, Michael Fothergill
> On 4 January 2018 at 17:55, The Wanderer <wanderer@xxxxxxxxxxx> wrote:
>> On 2018-01-04 at 12:30, Michael Fothergill wrote:
>> > On 4 January 2018 at 17:22, Curt <curty@xxxxxxx> wrote:
>> >> https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/
>> >> TL;DR
>> >> Windows, Linux, and macOS have all received security patches that
>> >> significantly alter how the operating systems handle virtual memory in
>> >> order to protect against a hitherto undisclosed flaw.
>> >> ...
>> >> In the immediate term, it looks like most systems will shortly have
>> >> patches for Meltdown. At least for Linux and Windows, these patches
>> >> allow end-users to opt out if they would prefer. The most vulnerable
>> >> users are probably cloud service providers; Meltdown and Spectre can
>> >> both in principle be used to further attacks against hypervisors,
>> >> making it easier for malicious users to break out of their virtual
>> >> machines.
>> >> ...
>> >> For typical desktop users, the risk is arguably less significant. While
>> >> both Meltdown and Spectre can have value in expanding the scope of an
>> >> existing flaw, neither one is sufficient on its own to, for example,
>> >> break out of a Web browser.
>> >> Apparent moral of story for CPU: don't speculate (but it's significantly
>> >> *slower*).
>> > Isn't this mainly an Intel problem? I use AMD chipsets. I would go for
>> > Ryzen nowadays anyway.
>> Meltdown so far is not known to affect anything other than Intel.
>> Spectre, however, is confirmed to affect AMD CPUs - and Ryzen CPUs are
>> specifically stated to be affected.
> But if the Spectre vulnerability is hard to exploit in practice and even in
> artificial test situations devised e.g. in the world of Linus Torvalds then
> AMD could turn out to be relatively cyber-kosher in the end.
>> The Wanderer
>> The reasonable man adapts himself to the world; the unreasonable one
>> persists in trying to adapt the world to himself. Therefore all
>> progress depends on the unreasonable man. -- George Bernard Shaw